Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-11-05 Thread Selva
Hi,

And the rationale for the patch:

On Mon, Jul 17, 2017 at 8:22 AM, Jan Just Keijser  wrote:

> On 17/07/17 14:14, Gert Doering wrote:
>
>> Hi,
>>
>> On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote:
>>
>>> this problem is NOT present in OpenVPN 2.3.17; the same warning appears
>>> (route gateway is ambiguous) but the route is added
>>> anyway. This seems to be a regression in 2.4.
>>>
>> Can we have a log, please?
>>
>>
> attached: config and log (with hostnames anonymized)


As in the logs,

Mon Jul 17 14:18:43 2017 us=1227 C:\Windows\system32\route.exe ADD
222.222.97.13 MASK 255.255.255.255 111.111.135.254
Mon Jul 17 14:18:43 2017 us=1227 Warning: route gateway is ambiguous:
111.111.135.254 (2 matches)

when multiple interfaces match a route, we bail out with a warning unless
the route method used is exe. This code is the same in 2.3.17 and 2.4.3
except the latter defaults to using IPAPI invoked via the service. 2.3.7
also defaults to IPAPI but falls back to exe if the former fails.

Looking at the sources: in tun.c
adapter_index_of_ip() returns the index of the first matching adapter and
the number of matching adapters found. If the count is > 1
windows_route_find_if_index() in route.c sets the index to
TUN_ADAPTER_INDEX_INVALID and route addition gets aborted.

We could slightly modify adapter_index_of_ip() to return the matching index
with smallest metric when more than one are found.

Selva
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
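The interface-selection behaviour Selva describes above, as an added example (constructed for this page, not OpenVPN's tun.c/route.c code). It models the current logic (first matching adapter plus a match count, with the caller aborting when the count is above one) next to the proposed change (pick the match with the lowest metric). The rule that an adapter "matches" when the gateway lies inside its subnet is an assumption; the adapter table, indices and metrics are made up, and the gateway is the anonymized address from the posted log.

```python
"""Interface selection when a route's gateway is reachable via several adapters.

Constructed example for this thread, not OpenVPN's tun.c/route.c code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

TUN_ADAPTER_INDEX_INVALID = -1  # sentinel; same name as used in the thread


@dataclass(frozen=True)
class Adapter:
    index: int      # interface index the route would be bound to
    ip: str         # adapter's own IPv4 address
    netmask: str
    metric: int     # lower is preferred, as in the Windows routing table


def adapters_matching(adapters, gateway):
    """Adapters whose subnet contains the gateway (assumed matching rule)."""
    gw = IPv4Address(gateway)
    return [a for a in adapters
            if gw in IPv4Network(f"{a.ip}/{a.netmask}", strict=False)]


def first_match(adapters, gateway):
    """Current behaviour: index of the first match and how many matched."""
    matches = adapters_matching(adapters, gateway)
    index = matches[0].index if matches else TUN_ADAPTER_INDEX_INVALID
    return index, len(matches)


def lowest_metric_match(adapters, gateway):
    """Proposed behaviour: among all matches, the one with the lowest metric."""
    matches = adapters_matching(adapters, gateway)
    if not matches:
        return TUN_ADAPTER_INDEX_INVALID, 0
    best = min(matches, key=lambda a: (a.metric, a.index))  # index breaks ties
    return best.index, len(matches)


def route_if_index(adapters, gateway, prefer_lowest_metric=False):
    """Index handed to the route-add call, or the invalid sentinel to abort.

    Without prefer_lowest_metric this reproduces the abort on an ambiguous
    gateway seen in the log ("route gateway is ambiguous ... (2 matches)").
    """
    if prefer_lowest_metric:
        index, _count = lowest_metric_match(adapters, gateway)
        return index
    index, count = first_match(adapters, gateway)
    if count > 1:
        return TUN_ADAPTER_INDEX_INVALID
    return index


# Constructed adapter table: two adapters on the gateway's /24 (think wired and
# wireless on the same LAN) plus the tun adapter, which must not match.
ADAPTERS = [
    Adapter(index=11, ip="111.111.135.20", netmask="255.255.255.0", metric=25),
    Adapter(index=13, ip="111.111.135.21", netmask="255.255.255.0", metric=10),
    Adapter(index=17, ip="10.8.0.6", netmask="255.255.255.252", metric=25),
]
GATEWAY = "111.111.135.254"  # anonymized gateway from the posted log

if __name__ == "__main__":
    print("first match:", first_match(ADAPTERS, GATEWAY))
    print("lowest metric:", lowest_metric_match(ADAPTERS, GATEWAY))
    print("route index (abort on ambiguity):", route_if_index(ADAPTERS, GATEWAY))
    print("route index (lowest metric):", route_if_index(ADAPTERS, GATEWAY, True))
```

With two adapters on the gateway's subnet, the abort-on-ambiguity path returns the invalid sentinel, while the lowest-metric path binds the route to adapter 13; a gateway that only the tun adapter's subnet covers is unaffected either way.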


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-11-05 Thread Selva
On Sun, Nov 5, 2017 at 12:11 PM, Gert Doering  wrote:

> Hi,
>
> On Mon, Jul 17, 2017 at 02:22:55PM +0200, Jan Just Keijser wrote:
> > On 17/07/17 14:14, Gert Doering wrote:
> > > Hi,
> > >
> > > On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote:
> > >> this problem is NOT present in OpenVPN 2.3.17; the same warning
> appears (route gateway is ambiguous) but the route is added
> > >> anyway. This seems to be a regression in 2.4.
> > > Can we have a log, please?
> > attached: config and log (with hostnames anonymized)
>
> This indeed is a regression, or a "non-handled special case in the
> iservice"
> (waking up Selva and Heiko).


> 2.3 is calling route.exe, which seems to just handle this case fine
> ("the given gateway address is present on two different interfaces",
> which I find ambiguous myself :-) ).
>

When this was reported I had made a patch to handle this, somehow forgot to
send it in. Or could be that I was not totally happy with it (or not
tested). Anyway, the next email has the patch as I have it -- will do any
cleanup if needed provided it looks sensible.

Selva


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-11-05 Thread Gert Doering
Hi,

On Mon, Jul 17, 2017 at 02:22:55PM +0200, Jan Just Keijser wrote:
> On 17/07/17 14:14, Gert Doering wrote:
> > Hi,
> >
> > On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote:
> >> this problem is NOT present in OpenVPN 2.3.17; the same warning appears 
> >> (route gateway is ambiguous) but the route is added
> >> anyway. This seems to be a regression in 2.4.
> > Can we have a log, please?
> attached: config and log (with hostnames anonymized)

This indeed is a regression, or a "non-handled special case in the iservice"
(waking up Selva and Heiko).

2.3 is calling route.exe, which seems to just handle this case fine
("the given gateway address is present on two different interfaces",
which I find ambiguous myself :-) ).

2.4 in your setup is using the interactive service...

> Mon Jul 17 14:18:43 2017 us=1227 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=1 
> u/d=up
> Mon Jul 17 14:18:43 2017 us=1227 C:\Windows\system32\route.exe ADD 
> 222.222.97.13 MASK 255.255.255.255 111.111.135.254
> Mon Jul 17 14:18:43 2017 us=1227 Warning: route gateway is ambiguous: 
> 111.111.135.254 (2 matches)
> Mon Jul 17 14:18:43 2017 us=1227 Route addition via service failed

... which notices that the gateway is ambiguous and refuses to cooperate.

Without checking the code, there's a few things here that are not good

 - that openvpn just goes ahead, while it "should" know that adding the
   "def1" default routes afterwards is going to make things explode
 - that we fail, instead of just installing the route (with warning) -
   which could either be "just pick an interface and log that" or "just
   pick no interface at all, and let windows routing figure this out"

> Mon Jul 17 14:18:43 2017 us=16827 Recursive routing detected, drop tun packet 
> to [AF_INET]222.222.97.13:1194
> Mon Jul 17 14:18:44 2017 us=108829 Recursive routing detected, drop tun 
> packet to [AF_INET]222.222.97.13:1194

Now *this* is actually good news :-) - instead of blowing up your CPU,
we notice that we're stuck and log that.


As a workaround, what you might do instead...

 - connect over IPv6 - the IPv6 code is different and I'm curious what
   it will do :-)

 - use "--ip-win32 ipapi" (+ run gui as admin) to avoid using the 
   interactive service

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de


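Why Gert says OpenVPN "should" know that adding the "def1" default routes after the failed host route is going to explode, as an added example (constructed for this page, not OpenVPN's or Windows' routing code): a small longest-prefix-match table. The VPN server and LAN gateway addresses are the anonymized ones from the posted log; the interface names, the tun addresses and the metrics are made up.

```python
"""Longest-prefix match showing why the /32 host route to the VPN server
must exist before the "redirect-gateway def1" routes are installed.

Constructed example for this thread, not OpenVPN's or Windows' routing code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

VPN_SERVER = "222.222.97.13"      # anonymized, from the posted log
LAN_GATEWAY = "111.111.135.254"   # anonymized, from the posted log
TUN_GATEWAY = "10.8.0.5"          # assumed VPN-side gateway


@dataclass(frozen=True)
class Route:
    prefix: str
    gateway: str   # "on-link" for directly connected prefixes
    iface: str
    metric: int


# Routing table before OpenVPN starts (constructed).
BASE_TABLE = [
    Route("0.0.0.0/0", LAN_GATEWAY, "eth0", 25),
    Route("111.111.135.0/24", "on-link", "eth0", 25),
    Route("10.8.0.4/30", "on-link", "tun0", 25),
]
# What "redirect-gateway def1" adds: two /1 routes that beat the /0 default
# without deleting it.
DEF1_ROUTES = [
    Route("0.0.0.0/1", TUN_GATEWAY, "tun0", 25),
    Route("128.0.0.0/1", TUN_GATEWAY, "tun0", 25),
]
# The host route whose addition failed in the log ("Route addition via
# service failed"); it is what keeps the encrypted UDP on the LAN.
HOST_ROUTE = Route(f"{VPN_SERVER}/32", LAN_GATEWAY, "eth0", 25)


def lookup(table, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = IPv4Address(dst)
    candidates = [r for r in table if addr in IPv4Network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (IPv4Network(r.prefix).prefixlen, -r.metric))


def table_after_openvpn(host_route_added):
    """Table as it looks once the def1 routes are in, with or without the /32."""
    routes = list(BASE_TABLE)
    if host_route_added:
        routes.append(HOST_ROUTE)
    return routes + DEF1_ROUTES


def tunnel_is_recursive(table, server=VPN_SERVER, tun_iface="tun0"):
    """True when packets to the VPN server would themselves enter the tunnel,
    i.e. the "Recursive routing detected" situation from the log."""
    r = lookup(table, server)
    return r is not None and r.iface == tun_iface


if __name__ == "__main__":
    for added in (False, True):
        t = table_after_openvpn(added)
        print(f"host route added={added}: server via {lookup(t, VPN_SERVER)},"
              f" recursive={tunnel_is_recursive(t)}")
```

Without the /32, the server address (222.x, so inside 128.0.0.0/1) is matched by a def1 route and the encrypted packets are handed back to tun0; with the /32 in place they stay on eth0, while ordinary Internet traffic and the local /24 still resolve as intended.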


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-10-18 Thread Samuli Seppänen
On 18/10/2017 10:43, Илья Шипицин wrote:
> 
> 
> 2017-07-17 17:07 GMT+05:00 David Woodhouse:
> 
> On Fri, 2017-07-14 at 17:07 +0300, Samuli Seppänen wrote:
> > Hi all,
> >
> > Those of you who use pkcs11 on Windows: could you please test this new
> > Windows installer:
> >
> >
> >
> > The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
> > some regression testing would be good to have.
> 
> Please include the pkcs11-helper patch from
> https://github.com/OpenSC/pkcs11-helper/pull/4 to make it support using
> RFC7512 PKCS#11 URIs to specify certificates/keys instead of its own
> non-standard identifiers.
> 
> 
> 
> David, can you have a look, please ?
> 
> https://github.com/OpenVPN/openvpn-build/pull/110
I added this as a topic for today's meeting, with links to earlier
discussion. It seems we agreed that patching the 2.4 Windows installers
would be fine.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-10-18 Thread Илья Шипицин
2017-07-17 17:07 GMT+05:00 David Woodhouse :

> On Fri, 2017-07-14 at 17:07 +0300, Samuli Seppänen wrote:
> > Hi all,
> >
> > Those of you who use pkcs11 on Windows: could you please test this new
> > Windows installer:
> >
> >
> >
> > The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
> > some regression testing would be good to have.
>
> Please include the pkcs11-helper patch from
> https://github.com/OpenSC/pkcs11-helper/pull/4 to make it support using
> RFC7512 PKCS#11 URIs to specify certificates/keys instead of its own
> non-standard identifiers.
>


David, can you have a look, please ?

https://github.com/OpenVPN/openvpn-build/pull/110


>
> (It still accepts the old form, for compatibility).
> 


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-26 Thread David Woodhouse
On Wed, 2017-07-26 at 11:16 +0200, David Sommerseth wrote:
> On 26/07/17 10:02, David Woodhouse wrote:
> [...snip...]
> > 
> > 
> > Well yes, that's true. But it's more likely that I'll finally get round
> > to porting OpenVPN to something other than pkcs11-helper before that
> > happens, unfortunately.
> TL;DR:  If you or anyone else have a chance to look into this, we will
> appreciate that effort enormously!  Just grab us on ML or the
> #openvpn-devel IRC channel (FreeNode) and we can discuss it further.
> 
> 
> Steffan and I discussed what is needed to be done to port p11-kit awhile
> ago; we're also not too happy about the pkcs11-helper dependency.  If we
> had only had support for one SSL library, it probably would have been
> somewhat simpler.  But as we strive hard to have both mbed TLS and
> OpenSSL builds to be fairly feature comparable (from an OpenVPN
> perspective), this gets a bit more challenging.
> 
> IIRC, one of the more challenging parts here is to get p11-kit to play
> nicely along with mbed TLS.  We are concerned that there is some need
> to also adapt mbed TLS to support p11-kit.  However, I quite recently
> heard some rumours that mbed TLS provides some API for offloading sign
> and decrypt operations outside of the library; that needs to be
> investigated further and to consider if this is a better way for the
> integration.

Yeah... in my Copious Spare Time I have also been looking at
integrating PKCS#11 support as a first-class citizen into OpenSSL. You
really ought to be able to just pass a PKCS#11 URI instead of a
filename into fairly much any API and have it Just Work.

But implementing the basic crypto primitives in libp11-kit might be
interesting, which makes it easier to wrap them for various crypto
libraries.




Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-26 Thread David Sommerseth
On 26/07/17 10:02, David Woodhouse wrote:
[...snip...]
> 
> Well yes, that's true. But it's more likely that I'll finally get round
> to porting OpenVPN to something other than pkcs11-helper before that
> happens, unfortunately.

TL;DR:  If you or anyone else have a chance to look into this, we will
appreciate that effort enormously!  Just grab us on ML or the
#openvpn-devel IRC channel (FreeNode) and we can discuss it further.


Steffan and I discussed what is needed to be done to port p11-kit awhile
ago; we're also not too happy about the pkcs11-helper dependency.  If we
had only had support for one SSL library, it probably would have been
somewhat simpler.  But as we strive hard to have both mbed TLS and
OpenSSL builds to be fairly feature comparable (from an OpenVPN
perspective), this gets a bit more challenging.

IIRC, one of the more challenging parts here is to get p11-kit to play
nicely along with mbed TLS.  We are concerned that there is some need
to also adapt mbed TLS to support p11-kit.  However, I quite recently
heard some rumours that mbed TLS provides some API for offloading sign
and decrypt operations outside of the library; that needs to be
investigated further and to consider if this is a better way for the
integration.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-26 Thread David Woodhouse
On Tue, 2017-07-25 at 23:56 +0200, Emmanuel Deloget wrote:
> A single patch would not be a problem for distro maintainers, but
> subsequent/future changes in the forked repository might introduce
> other, less compatible changes in the library, leading to two versions
> of the same library, with maybe the same ABI and the same name 

Don't Do That Then. :)

It's one thing to have a simple patch which makes it accept the RFC
compliant identifiers that the upstream maintainer is being weirdly
recalcitrant about, without changing the API/ABI at all.

To add other things to a "fork"... or really even to consider it a
fork... would be silly.

> And you also have to take into account weird people like me who also
> add their own changes into various libraries or binaries to suit their
> needs (the whole "hey, it's free software, I can change it" thing).
> Pointing them to a fork is not going to work well IMHO.

People who build from source can already merge the fix into their
pkcs11-helper or not as they see fit; this conversation was about the
*binaries* being provided. AFAIK the only binary being provided for
pkcs11-helper is on Windows; there are Ubuntu binaries but if they have
PKCS#11 support they'll be using the system's version of pkcs11-helper. 
(Which probably also lacks the patch; I have rarely seen any sign of
anyone in Debian/Ubuntu caring about doing the right thing w.r.t. any
crypto-related stuff, unfortunately.)

>  It would be better if the maintainer finally decide to either
> implement the required change or merge your patch to the library.

Well yes, that's true. But it's more likely that I'll finally get round
to porting OpenVPN to something other than pkcs11-helper before that
happens, unfortunately.





Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-25 Thread Emmanuel Deloget
Hi David, other,

It seems that my "I'm using my phone, sorry for top posting" went far
beyond that because I also forgot to add the list as a recipient.

So, here is my message (minus the top-posting) sent to David only (sorry David)

On Tue, Jul 25, 2017 at 9:21 PM, David Woodhouse  wrote:
>
> On Tue, 2017-07-25 at 19:53 +0300, Samuli Seppänen wrote:
> >
> > I released the new Windows installer but without this patch. That said,
> > the patch/PR you linked to makes sense. Does the patch have an active
> > maintainer?
>
> That would be me, I suppose. Until/unless the upstream maintainer
> applies the patch, I or someone else will continue to maintain the
> patch in the Fedora package at least.
>
> > If yes, then I propose is that we
> >
> > - Fork OpenSC/pkcs11-helper to OpenVPN/pkcs11-helper
> > - Apply the patch to our fork
> > - Produce and publish our own pkcs11-helper tarballs
> > - Point openvpn-build to our tarballs
> > - Periodically rebase our fork with upstream
> >
> > Thoughts?
>
>
> Hi,
>
> Sorry for the top posting, I'm writing that from my phone.
>
> To add to the NAK, such a move would make integration into various embedded
> distributions more difficult, as maintainers may have to deal with 2 versions
> of the same lib (with possibly different behavior needed by different binaries).
>
> So I would advise against such a solution.
>
> Best regards,
>
> -- Emmanuel Deloget

To which David replied (hope you don't mind if I quote you):

> There is no API/ABI change. One accepts cert identifier strings conforming
> to RFC7512, the other (without the patch) doesn't.
>
> So aside from the RFC-compliance they are interchangeable.

(I think I'm already using this patch, so thank you David for your work).

A single patch would not be a problem for distro maintainers, but
subsequent/future changes in the forked repository might introduce
other, less compatible changes in the library, leading to two versions
of the same library, with maybe the same ABI and the same name -- and
that worries me a bit (not that much, but I also maintain a fork of
lede for my own purpose, and I'm not sure I'd like to deal with such
complexity :)). Avoiding that would require a library name change and
I'm not sure it's a good thing at all.

And you also have to take into account weird people like me who also
add their own changes into various libraries or binaries to suit their
needs (the whole "hey, it's free software, I can change it" thing).
Pointing them to a fork is not going to work well IMHO. It would be
better if the maintainer finally decides to either implement the
required change or merge your patch to the library.

Best regards,

-- Emmanuel Deloget



Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-25 Thread David Woodhouse
On Tue, 2017-07-25 at 19:53 +0300, Samuli Seppänen wrote:
> 
> I released the new Windows installer but without this patch. That said,
> the patch/PR you linked to makes sense. Does the patch have an active
> maintainer? 

That would be me, I suppose. Until/unless the upstream maintainer
applies the patch, I or someone else will continue to maintain the
patch in the Fedora package at least.

> If yes, then I propose is that we
> 
> - Fork OpenSC/pkcs11-helper to OpenVPN/pkcs11-helper
> - Apply the patch to our fork
> - Produce and publish our own pkcs11-helper tarballs
> - Point openvpn-build to our tarballs
> - Periodically rebase our fork with upstream
> 
> Thoughts?

Well, there's always the option of ditching pkcs11-helper entirely...
:)



Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-25 Thread Gert Doering
Hi,

On Tue, Jul 25, 2017 at 10:18:53PM +0500, Илья Шипицин wrote:
> that said, I think such build events should go to openvpn's Makefile.

NAK.  OpenVPN's Makefile does not care where pkcs11-helper is coming 
from - it expects something proper to be installed in the build 
environment.  It's not OpenVPN's job to figure out where to get stuff
from - this is why we have openvpn-build for "complicated" cases.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-25 Thread Илья Шипицин
2017-07-25 21:53 GMT+05:00 Samuli Seppänen :

> On 17/07/2017 15:07, David Woodhouse wrote:
> > On Fri, 2017-07-14 at 17:07 +0300, Samuli Seppänen wrote:
> >> Hi all,
> >>
> >> Those of you who use pkcs11 on Windows: could you please test this new
> >> Windows installer:
> >>
> >>
> >>
> >> The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
> >> some regression testing would be good to have.
> >
> > Please include the pkcs11-helper patch from
> > https://github.com/OpenSC/pkcs11-helper/pull/4 to make it support using
> > RFC7512 PKCS#11 URIs to specify certificates/keys instead of its own
> > non-standard identifiers.
> >
> > (It still accepts the old form, for compatibility).
> >
>
> I released the new Windows installer but without this patch. That said,
> the patch/PR you linked to makes sense. Does the patch have an active
> maintainer? If yes, then I propose is that we
>
> - Fork OpenSC/pkcs11-helper to OpenVPN/pkcs11-helper
> - Apply the patch to our fork
> - Produce and publish our own pkcs11-helper tarballs
> - Point openvpn-build to our tarballs
> - Periodically rebase our fork with upstream
>
> Thoughts?
>


well, I think we should unify build events across all projects.
i.e. openvpn should be built the same way no matter who builds (openvpn
itself, openvpn-build, travis ci or whatever).


that said, I think such build events should go to openvpn's Makefile.
and we will need to update things in the single place (currently - a lot of
places).


another idea is to rework the patch and merge it into the main fork.


>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
> 


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-25 Thread Samuli Seppänen
On 17/07/2017 15:07, David Woodhouse wrote:
> On Fri, 2017-07-14 at 17:07 +0300, Samuli Seppänen wrote:
>> Hi all,
>>
>> Those of you who use pkcs11 on Windows: could you please test this new
>> Windows installer:
>>
>>
>>
>> The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
>> some regression testing would be good to have.
> 
> Please include the pkcs11-helper patch from
> https://github.com/OpenSC/pkcs11-helper/pull/4 to make it support using
> RFC7512 PKCS#11 URIs to specify certificates/keys instead of its own
> non-standard identifiers.
> 
> (It still accepts the old form, for compatibility).
> 

I released the new Windows installer but without this patch. That said,
the patch/PR you linked to makes sense. Does the patch have an active
maintainer? If yes, then I propose is that we

- Fork OpenSC/pkcs11-helper to OpenVPN/pkcs11-helper
- Apply the patch to our fork
- Produce and publish our own pkcs11-helper tarballs
- Point openvpn-build to our tarballs
- Periodically rebase our fork with upstream

Thoughts?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Илья Шипицин
2017-07-17 17:07 GMT+05:00 David Woodhouse :

> On Fri, 2017-07-14 at 17:07 +0300, Samuli Seppänen wrote:
> > Hi all,
> >
> > Those of you who use pkcs11 on Windows: could you please test this new
> > Windows installer:
> >
> >
> >
> > The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
> > some regression testing would be good to have.
>
> Please include the pkcs11-helper patch from
> https://github.com/OpenSC/pkcs11-helper/pull/4 to make it support using
> RFC7512 PKCS#11 URIs to specify certificates/keys instead of its own
> non-standard identifiers.
>

openvpn is split into several repos, we have pkcs11-helper at least here:

https://github.com/OpenVPN/openvpn-build/blob/master/generic/build.vars#L12


and here:

https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L38

it is not trivial to maintain distro + patch (while openvpn-build does
include a "patch" folder).

thoughts?



>
> (It still accepts the old form, for compatibility).
> 


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread David Woodhouse
On Fri, 2017-07-14 at 17:07 +0300, Samuli Seppänen wrote:
> Hi all,
> 
> Those of you who use pkcs11 on Windows: could you please test this new
> Windows installer:
> 
> 
> 
> The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
> some regression testing would be good to have.

Please include the pkcs11-helper patch from
https://github.com/OpenSC/pkcs11-helper/pull/4 to make it support using
RFC7512 PKCS#11 URIs to specify certificates/keys instead of its own
non-standard identifiers.

(It still accepts the old form, for compatibility).

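The identifier form the requested patch lets pkcs11-helper accept, as an added example (constructed for this page, not pkcs11-helper's code or the linked pull request): a parser and matcher for RFC 7512 PKCS#11 URIs. Path attributes after `pkcs11:` are `;`-separated and identify the token and object; query attributes after `?` are `&`-separated and tell the application where to find the module and PIN; all values are percent-encoded, and `id` decodes to raw bytes. The token inventory, labels and ids below are made up.

```python
"""RFC 7512 PKCS#11 URI parsing and matching.

Constructed example for this thread, not pkcs11-helper or the linked PR.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 (path attributes identify the object,
# query attributes tell the application how to reach it).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _split_attrs(section, separator, allowed):
    attrs = {}
    for part in section.split(separator):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or name not in allowed:
            raise ValueError(f"unknown or malformed attribute: {part!r}")
        if name in attrs:  # RFC 7512: each attribute may appear at most once
            raise ValueError(f"duplicate attribute: {name}")
        # "id" carries the raw CKA_ID bytes; everything else is UTF-8 text.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI, or raise ValueError."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    path_attrs = _split_attrs(path, ";", PATH_ATTRS)
    query_attrs = _split_attrs(query, "&", QUERY_ATTRS)
    if "type" in path_attrs and path_attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"bad object type: {path_attrs['type']}")
    if "slot-id" in path_attrs:
        path_attrs["slot-id"] = int(path_attrs["slot-id"])  # decimal per RFC
    return path_attrs, query_attrs


def uri_matches(path_attrs, candidate):
    """RFC 7512 matching: every attribute named in the URI must equal the
    candidate's value; attributes the URI leaves out act as wildcards."""
    return all(candidate.get(name) == value for name, value in path_attrs.items())


# Constructed inventory, as an application would enumerate it from tokens.
OBJECTS = [
    {"token": "OpenVPN Test Token", "object": "client", "type": "private", "id": b"\x01\x02"},
    {"token": "OpenVPN Test Token", "object": "client", "type": "cert", "id": b"\x01\x02"},
    {"token": "Other Token", "object": "client", "type": "private", "id": b"\x99"},
]


def select_object(uri):
    """Resolve a URI to exactly one object; ambiguity is an error, not a guess."""
    path_attrs, _query = parse_pkcs11_uri(uri)
    hits = [obj for obj in OBJECTS if uri_matches(path_attrs, obj)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} objects match {uri!r}")
    return hits[0]


if __name__ == "__main__":
    print(parse_pkcs11_uri("pkcs11:token=OpenVPN%20Test%20Token;id=%01%02;type=private"
                           "?pin-source=file:/etc/openvpn/pin"))
    print(select_object("pkcs11:token=OpenVPN%20Test%20Token;type=private"))
```

Refusing to pick when more than one object matches is the safe choice for a VPN client: a URI that names only the token would otherwise silently select whichever of the certificate or private key was enumerated first.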


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser

On 17/07/17 14:14, Gert Doering wrote:

Hi,

On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote:

this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route 
gateway is ambiguous) but the route is added
anyway. This seems to be a regression in 2.4.

Can we have a log, please?



attached: config and log (with hostnames anonymized)

JJK

Mon Jul 17 14:18:33 2017 us=360410 Current Parameter Settings:
Mon Jul 17 14:18:33 2017 us=360410   config = 'nikhef-udp-pkcs11.ovpn'
Mon Jul 17 14:18:33 2017 us=360410   mode = 0
Mon Jul 17 14:18:33 2017 us=360410   show_ciphers = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   show_digests = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   show_engines = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   genkey = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   key_pass_file = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   show_tls_ciphers = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   connect_retry_max = 0
Mon Jul 17 14:18:33 2017 us=360410 Connection profiles [0]:
Mon Jul 17 14:18:33 2017 us=360410   proto = udp
Mon Jul 17 14:18:33 2017 us=360410   local = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   local_port = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   remote = 'vpnserver'
Mon Jul 17 14:18:33 2017 us=360410   remote_port = '1194'
Mon Jul 17 14:18:33 2017 us=360410   remote_float = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   bind_defined = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   bind_local = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   bind_ipv6_only = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   connect_retry_seconds = 5
Mon Jul 17 14:18:33 2017 us=360410   connect_timeout = 120
Mon Jul 17 14:18:33 2017 us=360410   socks_proxy_server = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   socks_proxy_port = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   tun_mtu = 1500
Mon Jul 17 14:18:33 2017 us=360410   tun_mtu_defined = ENABLED
Mon Jul 17 14:18:33 2017 us=360410   link_mtu = 1500
Mon Jul 17 14:18:33 2017 us=360410   link_mtu_defined = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   tun_mtu_extra = 0
Mon Jul 17 14:18:33 2017 us=360410   tun_mtu_extra_defined = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   mtu_discover_type = -1
Mon Jul 17 14:18:33 2017 us=360410   fragment = 0
Mon Jul 17 14:18:33 2017 us=360410   mssfix = 1450
Mon Jul 17 14:18:33 2017 us=360410   explicit_exit_notification = 0
Mon Jul 17 14:18:33 2017 us=360410 Connection profiles END
Mon Jul 17 14:18:33 2017 us=360410   remote_random = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   ipchange = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   dev = 'tun'
Mon Jul 17 14:18:33 2017 us=360410   dev_type = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   dev_node = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   lladdr = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   topology = 1
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_local = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_remote_netmask = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_noexec = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_nowarn = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_ipv6_local = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_ipv6_netbits = 0
Mon Jul 17 14:18:33 2017 us=360410   ifconfig_ipv6_remote = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   shaper = 0
Mon Jul 17 14:18:33 2017 us=360410   mtu_test = 0
Mon Jul 17 14:18:33 2017 us=360410   mlock = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   keepalive_ping = 0
Mon Jul 17 14:18:33 2017 us=360410   keepalive_timeout = 0
Mon Jul 17 14:18:33 2017 us=360410   inactivity_timeout = 0
Mon Jul 17 14:18:33 2017 us=360410   ping_send_timeout = 0
Mon Jul 17 14:18:33 2017 us=360410   ping_rec_timeout = 0
Mon Jul 17 14:18:33 2017 us=360410   ping_rec_timeout_action = 0
Mon Jul 17 14:18:33 2017 us=360410   ping_timer_remote = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   remap_sigusr1 = 0
Mon Jul 17 14:18:33 2017 us=360410   persist_tun = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   persist_local_ip = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   persist_remote_ip = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   persist_key = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   passtos = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   resolve_retry_seconds = 10
Mon Jul 17 14:18:33 2017 us=360410   resolve_in_advance = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   username = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   groupname = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   chroot_dir = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   cd_dir = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   writepid = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   up_script = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   down_script = '[UNDEF]'
Mon Jul 17 14:18:33 2017 us=360410   down_pre = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   up_restart = DISABLED
Mon Jul 17 14:18:33 2017 us=360410   up_delay = DISABLED
Mon Jul 17 

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Gert Doering
Hi,

On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote:
> this problem is NOT present in OpenVPN 2.3.17; the same warning appears 
> (route gateway is ambiguous) but the route is added 
> anyway. This seems to be a regression in 2.4.

Can we have a log, please?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser

Follow-up:

this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added 
anyway. This seems to be a regression in 2.4.


JJK


On 17/07/17 14:01, Jan Just Keijser wrote:

Hi all,

On 17/07/17 12:34, Samuli Seppänen wrote:

On 15/07/2017 00:43, Jan Just Keijser wrote:

Hi Samuli,

On 14/07/17 16:07, Samuli Seppänen wrote:

Hi all,

Those of you who use pkcs11 on Windows: could you please test this new
Windows installer:




The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
some regression testing would be good to have.

I'd like to push the updated installer out early next week, preferably
on Monday.


nice to see that pkcs11 support is still included in the Windows
version; I can test the installer on Monday morning (no Windows laptop in
my house ;)) I will let you know my findings.

cheers,

JJK


Hi JJK,

Excellent, thanks! I will push out the new installer if everything looks
good at your end.



good news and bad news:

+ the pkcs11 stuff works as expected, no problems there
- with openvpn 2.4.3 my existing setup using "redirect-gateway def1"  stopped 
working!

I'll downgrade OpenVPN to see if this problem was already there in 2.3.XX;
what happens is this:
- openvpn wants to add a direct route to the VPN server
- there happen to be TWO gateways to that server with the SAME IP address, one 
via wired ethernet, one via wireless
- openvpn gets confused and says "route gateway is ambiguous" and refuses to 
add it
- after that, all traffic is jammed, as there is no direct route to the VPN server itself, and thus all encrypted traffic is 
fed back into the tunnel, where it is encrypted again, etc etc ("biting your own tail").


Disconnecting either wired or wireless solves the issue AFTER restarting 
OpenVPN. Annoying.
It looks like a (minor) patch is needed to deal with this special case

cheers,

JJK




Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Илья Шипицин
2017-07-17 17:01 GMT+05:00 Jan Just Keijser :

> Hi all,
>
> On 17/07/17 12:34, Samuli Seppänen wrote:
>
>> On 15/07/2017 00:43, Jan Just Keijser wrote:
>>
>>> Hi Samuli,
>>>
>>> On 14/07/17 16:07, Samuli Seppänen wrote:
>>>
 Hi all,

 Those of you who use pkcs11 on Windows: could you please test this new
 Windows installer:

 


 The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
 some regression testing would be good to have.

 I'd like to push the updated installer out early next week, preferably
 on Monday.

 nice to see that pkcs11 support is still included in the Windows
>>> version; I can test the installer on Monday morning (no Windows laptop in
>>> my house ;)) I will let you know my findings.
>>>
>>> cheers,
>>>
>>> JJK
>>>
>>> Hi JJK,
>>
>> Excellent, thanks! I will push out the new installer if everything looks
>> good at your end.
>>
>>
> good news and bad news:
>
> + the pkcs11 stuff works as expected, no problems there
> - with openvpn 2.4.3 my existing setup using "redirect-gateway def1"
> stopped working!
>
> I'll downgrade OpenVPN to see if this problem was already there in 2.3.XX;
> what happens is this:
> - openvpn wants to add a direct route to the VPN server
> - there happen to be TWO gateways to that server with the SAME IP address,
> one via wired ethernet, one via wireless
> - openvpn gets confused and says "route gateway is ambiguous" and refuses
> to add it
>

@mattock, can we have a community meeting, please?

there was a discussion (regarding changes in openvpn-gui <--> openvpn-core
interoperation) on how to serve routing issues.

there were two suggestions, either make route errors fatal or translate
them to openvpn-gui level.

currently, it is no good

(yes, current error would not have been resolved by those changes, but
error indication would be more clear)



> - after that, all traffic is jammed, as there is no direct route to the
> VPN server itself, and thus all encrypted traffic is fed back into the
> tunnel, where it is encrypted again, etc etc ("biting your own tail").
>
> Disconnecting either wired or wireless solves the issue AFTER restarting
> OpenVPN. Annoying.
> It looks like a (minor) patch is needed to deal with this special case
>
> cheers,
>
> JJK
>
>
> 


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Samuli Seppänen
On 17/07/2017 15:01, Jan Just Keijser wrote:
> Hi all,
> 
> On 17/07/17 12:34, Samuli Seppänen wrote:
>> On 15/07/2017 00:43, Jan Just Keijser wrote:
>>> Hi Samuli,
>>>
>>> On 14/07/17 16:07, Samuli Seppänen wrote:
 Hi all,

 Those of you who use pkcs11 on Windows: could you please test this new
 Windows installer:

 



 The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
 some regression testing would be good to have.

 I'd like to push the updated installer out early next week, preferably
 on Monday.

>>> nice to see that pkcs11 support is still included in the Windows
>>> version; I can test the installer on Monday morning (no Windows laptop in
>>> my house ;)) I will let you know my findings.
>>>
>>> cheers,
>>>
>>> JJK
>>>
>> Hi JJK,
>>
>> Excellent, thanks! I will push out the new installer if everything looks
>> good at your end.
>>
> 
> good news and bad news:
> 
> + the pkcs11 stuff works as expected, no problems there
> - with openvpn 2.4.3 my existing setup using "redirect-gateway def1" 
> stopped working!
> 
> I'll downgrade OpenVPN to see if this problem was already there in
> 2.3.XX; what happens is this:
> - openvpn wants to add a direct route to the VPN server
> - there happen to be TWO gateways to that server with the SAME IP
> address, one via wired ethernet, one via wireless
> - openvpn gets confused and says "route gateway is ambiguous" and
> refuses to add it
> - after that, all traffic is jammed, as there is no direct route to the
> VPN server itself, and thus all encrypted traffic is fed back into the
> tunnel, where it is encrypted again, etc etc ("biting your own tail").
> 
> Disconnecting either wired or wireless solves the issue AFTER restarting
> OpenVPN. Annoying.
> It looks like a (minor) patch is needed to deal with this special case
> 
> cheers,
> 
> JJK
> 

Hi,

Thanks for testing! I will push out the new installer tomorrow,
hopefully in the morning (EEST).

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser

Hi all,

On 17/07/17 12:34, Samuli Seppänen wrote:

On 15/07/2017 00:43, Jan Just Keijser wrote:

Hi Samuli,

On 14/07/17 16:07, Samuli Seppänen wrote:

Hi all,

Those of you who use pkcs11 on Windows: could you please test this new
Windows installer:




The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
some regression testing would be good to have.

I'd like to push the updated installer out early next week, preferably
on Monday.


nice to see that pkcs11 support is still included in the Windows
version; I can test the installer on Monday morning (no Windows laptop in
my house ;)) I will let you know my findings.

cheers,

JJK


Hi JJK,

Excellent, thanks! I will push out the new installer if everything looks
good at your end.



good news and bad news:

+ the pkcs11 stuff works as expected, no problems there
- with openvpn 2.4.3 my existing setup using "redirect-gateway def1"  stopped 
working!

I'll downgrade OpenVPN to see if this problem was already there in 2.3.XX;
what happens is this:
- openvpn wants to add a direct route to the VPN server
- there happen to be TWO gateways to that server with the SAME IP address, one 
via wired ethernet, one via wireless
- openvpn gets confused and says "route gateway is ambiguous" and refuses to 
add it
- after that, all traffic is jammed, as there is no direct route to the VPN server itself, and thus all encrypted traffic is fed 
back into the tunnel, where it is encrypted again, etc etc ("biting your own tail").


Disconnecting either wired or wireless solves the issue AFTER restarting 
OpenVPN. Annoying.
It looks like a (minor) patch is needed to deal with this special case

cheers,

JJK


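The failure JJK describes above, modelled as an added example that is not part of the original thread or of OpenVPN's own code: when two adapters share the same gateway address the /32 host route to the VPN server is skipped, and the two /1 routes installed by "redirect-gateway def1" then send the VPN server's own (already encrypted) packets back into the tunnel. Addresses, adapter names and route entries are constructed placeholders.

```python
import ipaddress

# Constructed topology modelled on the thread: one VPN server, and a LAN
# gateway that is reachable through both a wired and a wireless adapter
# (same gateway IP on both). All addresses are placeholders.
VPN_SERVER = ipaddress.ip_address("203.0.113.10")
LAN_GATEWAY = ipaddress.ip_address("192.0.2.1")
TUN_GATEWAY = ipaddress.ip_address("10.8.0.1")

# (adapter name, gateway reached through that adapter)
ADAPTERS = [
    ("eth0", LAN_GATEWAY),
    ("wlan0", LAN_GATEWAY),
]

def matching_adapters(adapters, gateway):
    """Adapters whose gateway equals the requested one; more than one match
    is the 'route gateway is ambiguous' situation from the log."""
    return [a for a in adapters if a[1] == gateway]

def next_hop(table, dst):
    """Longest-prefix match over a list of (network, gateway, iface)."""
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def build_table(host_route_added):
    """Routing table after 'redirect-gateway def1': two /1 routes through the
    tunnel adapter plus, only if OpenVPN managed to add it, a /32 host route
    to the VPN server through the physical gateway."""
    table = [
        (ipaddress.ip_network("0.0.0.0/1"), TUN_GATEWAY, "tap0"),
        (ipaddress.ip_network("128.0.0.0/1"), TUN_GATEWAY, "tap0"),
        (ipaddress.ip_network("192.0.2.0/24"), None, "eth0"),
    ]
    if host_route_added:
        table.append((ipaddress.ip_network(f"{VPN_SERVER}/32"), LAN_GATEWAY, "eth0"))
    return table

def encrypted_traffic_loops(adapters, gateway=LAN_GATEWAY):
    """True when the ambiguity check blocks the /32 route and the packets
    destined for the VPN server itself get routed into the tunnel ("biting
    your own tail"); False when the host route bypasses the tunnel."""
    ambiguous = len(matching_adapters(adapters, gateway)) > 1
    table = build_table(host_route_added=not ambiguous)
    return next_hop(table, VPN_SERVER)[2] == "tap0"
```

With both adapters present the function reports the loop; with only one of them (the "disconnect wired or wireless" workaround) the host route wins the longest-prefix match and traffic to the server leaves via eth0.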


Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Samuli Seppänen
On 15/07/2017 00:43, Jan Just Keijser wrote:
> Hi Samuli,
> 
> On 14/07/17 16:07, Samuli Seppänen wrote:
>> Hi all,
>>
>> Those of you who use pkcs11 on Windows: could you please test this new
>> Windows installer:
>>
>> 
>>
>>
>> The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
>> some regression testing would be good to have.
>>
>> I'd like to push the updated installer out early next week, preferably
>> on Monday.
>>
> nice to see that pkcs11 support is still included in the Windows
> version; I can test the installer on Monday morning (no Windows laptop in
> my house ;)) I will let you know my findings.
> 
> cheers,
> 
> JJK
> 

Hi JJK,

Excellent, thanks! I will push out the new installer if everything looks
good at your end.

Samuli



Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-14 Thread Jan Just Keijser

Hi Samuli,

On 14/07/17 16:07, Samuli Seppänen wrote:

Hi all,

Those of you who use pkcs11 on Windows: could you please test this new
Windows installer:



The previous installer(s) had pkcs11-helper 1.11. This one has 1.22, so
some regression testing would be good to have.

I'd like to push the updated installer out early next week, preferably
on Monday.

nice to see that pkcs11 support is still included in the Windows 
version; I can test the installer on Monday morning (no Windows laptop in
my house ;)) I will let you know my findings.


cheers,

JJK

